Lessons Learned from SunDEW: PRE-PRINT - SAP
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Lessons Learned from SunDEW:
A Self Defense Environment for Web Applications
[PRE-PRINT]
Merve Sahin, Cédric Hebert and Anderson Santana de Oliveira
Abstract: Securing web applications is a tedious task: Current best practices range from the secure
development lifecycle to the use of a wide variety of detective and reactive measures after deployment.
Yet, these measures are not always sufficient to secure the applications. A recent idea is to provide the
application with self-defense capabilities, by enhancing it with deceptive components and adding appli-
cation specific detection points that will be used in runtime. While the idea has been partially explored
before, it is not widely adopted in the industry, because of the lack of an end-to-end comprehensive
solution, among other reasons.
In this paper we introduce SunDEW, a multi-layer deception framework to provide self-defense
capabilities to web applications. We discuss the main technical challenges when prototyping this idea and
we validate its design through a CTF based experiment. We also evaluate how the participants respond
to this defense mechanism, together with a user study. We make a number of observations to develop
more robust deception techniques even when the attackers are aware of deception. In particular, we find
that deceptive elements should be well intertwined with the application and mimic real functionality to
be more effective. Moreover, when the attackers are informed about deception, they are likely to deviate
from their regular attack path, to not interact with the application elements they find suspicious. On the
other hand, attackers’ initial reaction is to avoid automated attacks and brute-forcing the application.
Instead, they prefer to be cautious and take the time to understand the application flow first. Overall,
we observe that even if deception awareness decreases the effectiveness of deceptive elements, it adds
a deterrent factor by causing attackers to self-restrict their actions. While our study is a first step to
evaluate the robustness of application layer deception against informed attackers, our results suggest that
notifying the attackers may bring several advantages to the defenders in any case.
Citing this paper
This is a pre-print of the paper that appears in the proceedings of the MADWeb Workshop in NDSS
Symposium 2020. https://doi.org/10.14722/madweb.2020.23005Lessons Learned from SunDEW:
A Self Defense Environment for Web Applications
Merve Sahin, Cédric Hebert and Anderson Santana de Oliveira
SAP Security Research
{merve.sahin, cedric.hebert, anderson.santana.de.oliveira}@sap.com
Abstract—Securing web applications is a tedious task: Current (e.g., IPS/IDS), reducing the efficiency of attackers by wasting
best practices range from the secure development lifecycle to their time and increasing the difficulty of attack planning [58],
the use of a wide variety of detective and reactive measures [44]. At a first glance, the idea of deception may seem to
after deployment. Yet, these measures are not always sufficient to contradict Kerckhoff’s principle that a security mechanism
secure the applications. A recent idea is to provide the application should not rely on secrecy or obscurity [38]. However, as long
with self-defense capabilities, by enhancing it with deceptive
components and adding application specific detection points that
as the security of the system is not dependent on obscurity,
will be used in runtime. While the idea has been partially explored addition of deceptive elements and misdirection still provides
before, it is not widely adopted in the industry, because of the lack many advantages [6].
of an end-to-end comprehensive solution, among other reasons.
Deception has also been studied by the academic com-
In this paper we introduce SunDEW, a multi-layer deception munity since more than 20 years, however, as the concept
framework to provide self-defense capabilities to web applica- of deception can be applied to different system security
tions. We discuss the main technical challenges when prototyping areas (e.g., at the network [14], data [52], or application
this idea and we validate its design through a CTF based layers [30]), each of these remains under-explored in terms of
experiment. We also evaluate how the participants respond to this deployment methods, effectiveness, or lifecycle of deceptive
defense mechanism, together with a user study. We make a num-
techniques [31]. Several survey papers on deception attempt
ber of observations to develop more robust deception techniques
even when the attackers are aware of deception. In particular, to systematize the knowledge, and draw attention to the need
we find that deceptive elements should be well intertwined with for further research [31], [27], [48], [43].
the application and mimic real functionality to be more effective.
In this paper we focus on the use of deception and self-
Moreover, when the attackers are informed about deception, they
are likely to deviate from their regular attack path, to not interact defense techniques to help secure web applications. Web ap-
with the application elements they find suspicious. On the other plications are often the public facing components of enterprise
hand, attackers’ initial reaction is to avoid automated attacks systems, and they are exposed to a wide range of attacks.
and brute-forcing the application. Instead, they prefer to be Symantec recently reported a 56% increase of attacks on Web
cautious and take the time to understand the application flow first. service endpoints in 2018 [53]. With the rise of social engineer-
Overall, we observe that even if deception awareness decreases the ing, phishing attacks (spear phishing, email compromise, email
effectiveness of deceptive elements, it adds a deterrent factor by impersonation [32], [17], [59]) and credential stuffing [55],
causing attackers to self-restrict their actions. While our study is a attackers often start with valid credentials to access the web
first step to evaluate the robustness of application layer deception application [19]. Moreover, it often takes several months before
against informed attackers, our results suggest that notifying the
a security breach is discovered [25]. The actions that the
attackers may bring several advantages to the defenders in any
case. attacker will take during this time (exploring the system,
looking for vulnerabilities) are the motivation for planting the
deceptive elements for detection. For such cases, deception can
I. I NTRODUCTION provide an extra layer of defense in addition to the traditional
Deception, one of the oldest concepts in military strat- security measures (such as web application firewalls) that often
egy [56], has recently been gaining popularity in information implement generic measures against known attack vectors.
security field, as an extra layer of defense. Several commercial The advantage of deception is that it can be designed to be
solutions proposed as part of Moving Target Defense (MTD) specific to the application, addressing all of its capabilities and
or Run-time Application Self Protection (RASP) technologies features [61].
provide easy-to-deploy deception elements at the network,
Existing studies on application layer deception mostly
data, or application levels [20], [54], [24], [11], [34], [3].
focus on adding deceptive elements via a proxy [30], [28],
These elements are then monitored for malicious or anomalous
which is an approach that we also adopt in this work. We
behavior. Such deceptive elements are expected to result in less
extend this concept by adding further deception layers to cover
false positives compared to traditional defense mechanisms
the post-detection phase, to provide a better response action
once a malicious request is detected. A naive response action
adopted in previous studies [30], [28] is to just log the attack
Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) 2020 while returning a valid looking response. Note that, certain
23 February 2020, San Diego, CA, USA
ISBN 1-891562-63-0 actions like terminating the session, adding timing delays or
https://dx.doi.org/10.14722/madweb.2020.23005 temporarily blocking the application [47], [35] might tip off
www.ndss-symposium.org the attacker.In contrast to the previous work, we redirect the malicious II. R ELATED W ORK
requests to a clone of the application that serves synthetic
data. This allows to monitor the attacker’s behavior (without A. Deception in web application layer:
putting the application data at risk) in an effort to learn his real Deceptive elements for web applications have been pro-
purpose, as well as to identify the vulnerabilities he might posed to be deployed via a proxy in front of the application,
find in the application. The idea of using “clone” systems via modifying the web server, or built in the application source
was previously explored in different domains [7], [9], and was code [31]. For instance, Fraunholz et al. present a reverse
briefly discussed in the web application context [42], [47]. proxy framework that implements various deceptive techniques
Based on this idea, our first contribution is to present a and evaluate the performance overhead of the framework [28].
multi-layer deception framework for web applications, and Han et al. also propose to implement deceptive elements via
to analyze the technical and research challenges related to a reverse proxy [30]. Moreover they use a CTF exercise to
this approach. We named our framework SunDEW (Self evaluate the effectiveness of deceptive elements, and deploy
Defending Environment for Web applications), inspired from these elements in a real-world application to measure the false
the carnivorous sundew plant that attracts and traps insects positive rate. Among 150 CTF participants, 56% triggered at
with its sticky leaves1 . least one of the deceptive traps. In addition, over 7 months
of period, there were no false positive alerts triggered in
In the second part of the study, we focus on the robustness the real-world deployment. Another study [26] focuses on
of deception - that is, when the attacker is aware of this the reconnaissance phase of web attacks to identify deceptive
countermeasure - to see how to improve our framework. As countermeasures, such as delaying responses to scanning at-
deception technologies gain more popularity and commercial tempts. The countermeasures are implemented in a web server,
solutions become more widely adopted, the assumption that and evaluated against several vulnerability scanners. In our
deceptive techniques are obscure/hidden will not remain true work, we propose to use deception in multiple layers, and to
for long. For deception to be relevant in the long term, focus on the attackers’ perception and on the robustness of the
it should remain effective even if the attacker is aware of approach.
it. In fact, deception can be considered as a cryptographic
algorithm, where the deceptive elements themselves are the
secret keys [13], [36]. Previous work measures how attackers B. Use of duplicate systems for deception
react to deception in different domains (such as data or The idea of deceiving attackers with a fake environment
system layer deception) [31]. On data layer, Shabtai et al. that is a copy of the real environment has been explored in
find that awareness does not have an impact on attacker a number of studies. For instance, Anagnostakis et al. aim to
behavior [52]. On system layer, studies find that awareness reduce the false positive rate of anomaly detectors by routing
makes the defense mechanism even more powerful because it the potentially dangerous requests to an instrumented clone of
increases the cognitive load of the attacker (such as increasing the application (called a shadow honeypot) [7]. The shadow
stress and reducing the belief in success [23], [18], [24]). To application is instrumented to detect certain failures such as
the best of our knowledge, our study is the first to analyze the memory violations, and able to rollback to a known good state
impact of deception awareness on web application layer. For after an attack. Similarly, Urias et al. propose to duplicate pos-
this, we first implement a proof-of-concept of the SunDEW sible compromised machines and place them in a deceptive en-
environment, and employ it in a Capture The Flag (CTF) vironment to further observe attacker behavior [57]. Kontaxis
competition on an enterprise CTF platform (that is used for et al. propose to duplicate the entire application server multiple
internal security training). Our experiment aims to answer the times, so that the adversary cannot know if he compromised
following questions: the real server [40]. Araujo et al. [9] propose to implement
honey-patches for known vulnerabilities. A honey-patch can
• How do the attackers perceive and react to the deception detect an exploitation attempt and redirect the attacker to a
technology? decoy environment (that is a copy of the original environment
• Does deception technology remain effective even when with redacted sensitive data), while the attacker thinks the
the attacker is aware of its use? exploit was successful. This approach can be complementary
• How can the proposed framework be improved? to other forms of deception, as it is only effective for known
vulnerabilities. In a further study, authors experiment with
We find that, among the participants who were able to honey-patches in an educative CTF environment [10]. The
solve the challenge, 85% have changed their attack strategy closest idea to our study in terms of the deception framework
due to being aware of deception. While 60% of participants is presented in [42]. We enrich this idea with application
had difficulty to work around it, the most common reaction layer deception, discuss the technical and research challenges
was to avoid scripted attacks as well as using known attack it brings, provide a prototype implementation, and evaluate it
automation tools. We also find that the effectiveness of decep- with a CTF exercise.
tive elements decreases when the participants are aware of it.
One lesson learned is that, for a more robust defense system C. Impact of deception awareness
we need to design the deceptive elements well intertwined with
the application, as well as to design response actions that are Several studies in data and system layer deception analyze
realistic and that makes the deceptive elements look functional. how deception awareness affects the attackers’ decision mak-
ing process and cognition. Cohen et al. conduct controlled red
teaming experiments in a network of multiple machines, where
1 https://www.britannica.com/plant/sundew they gradually inform the participants about deception [18].
2They find out that deception awareness reduces the belief in Identifying & deploying detection
points and realistic honeytokens
success and makes participants more likely to get frustrated Proxy
and to give up early. Although most of the research questions Real Database
of the study yields in statistically insignificant results, the Web Application
authors conclude that the quality of deception is very impor-
tant for its effectiveness, and that creating content-oriented Synchronization of
already exposed data
deceptions will be necessary to deceive skilled attackers in
Identifying & redirecting the
complete attack session
Web Application
the long term. Shabtai et al. [52] analyze user behavior in an Clone
experiment where the participants act as bank employees who Monitoring & reporting
Database with
honey-data
need to approve loan requests. They can approve the loans in attacker’s actions
a legitimate or illegitimate way from which they obtain 10% Generation of
realistic fake data
or 20% commission respectively. The purpose of participants
is to maximize their profit, however they risk to be detected if Fig. 1. Overview of our deception framework and technical challenges.
they approve a honey-loan in an illegitimate way. Half of the
participants know that honey-loans were planted in the data,
while the other half only knows without details that they can These elements (such as a hidden HTTP POST parameter,
be detected if they make an illegitimate approval. The study or a URL in HTML comments) are only expected to be
finds out that, awareness of the honeytokens had no significant interacted with by attackers, not interrupting the normal us-
impact on the ratio of illegal actions taken. In other words, age. Furthermore, it is also possible to implement IDS-like,
deception awareness does not decrease the attack detection application-specific detection points to monitor any anomalies
rate. While this result is counter-intuitive, the paper states in the application behavior. To the best of our knowledge,
two possible reasons: The honey-loans may be so realistic the OWASP AppSensor project is the first to propose such
that participants could not differentiate, and there were no detection points [46], [30]. Although detection points do not
significant consequence for illegal behavior, except losing a provide straightforward deception, they can be very useful
bonus. This study shows the difficulty of experiment setup for in runtime application self defense. Application-specific de-
evaluating deception. Yuill et al. [62] analyze the psychological ceptive elements and detection points can be determined via
vulnerabilities while facing deception, that can be used in a threat modeling exercise [60], which will help to define
the context of computer security. They note that deception believable decoys as well as relevant monitoring points. In this
awareness might cause the attackers to believe that real security work we propose to combine deceptive elements with attack
vulnerabilities are deceptive methods. One study that confirms detection points to provide more extensive defense capabilities
this theory is [23]. In this study the authors conduct network to the application. Combining the existing classifications and
penetration testing experiments with red team members. The related work [31], [30], [28], [26], [46], [60], we list several
experiment has four groups where deceptive elements are examples of such elements in Table I.2 For a complete picture,
present or not, and where the participants are informed about we also add the behavior based anomaly detection points.
deception or not. After each experiment, the authors conduct a However, we believe that behavior based detection is more
survey that aims at finding cognitive, emotional and physiolog- prone to false positives and should be treated more carefully.
ical effects of deception. They find that being informed about
the presence of deception can cause self-doubt and reduce self- A note on accuracy and false positives: One purpose of
confidence. Moreover, only telling attackers that there might deceptive elements and application specific detection points is
be deception (even if the network does not have deceptive to reduce the false positive rates compared to more generic
elements) can make them more suspicious and drive them to defense methods such as Web Application Firewalls (WAF).
change their attack strategy. In our study, we aim at answering Indeed, the few studies that attempt to measure false positives
similar questions for the web application defense: We analyze report zero or very low false positive rates [15], [30], [51].
how attackers perceive deception and if being informed about Note that detection points and deception do not provide 100%
deception affects their attack strategy. protection per se, but they can provide an improvement over
only using a generic WAF or IDS. How they should be
combined with generic defenses is also an open research
III. S UN DEW: A M ULTI - LAYER D ECEPTION topic [31].
F RAMEWORK
In this section we present SunDEW, a self defense envi- B. System layer
ronment for web applications. We propose to use deception
in three layers (application, system and data [31]) so that the On the system layer, we propose to deceive the attackers
attacker’s user experience remains consistent, while the attack by redirecting them to an exact copy of the web application.
is detected and contained. An overview of the framework is Depending on the architecture, this application can run in a
given in Figure 1. Next, we explain each architectural layer of separate container or virtual machine that is well monitored.
SunDEW. Once an attack is detected, we aim to keep the attacker in the
clone application as long as possible by tainting the malicious
A. Application layer session and by redirecting all the subsequent requests. The
redirection can be implemented via a reverse proxy, as part
The simplest type of deception applied to web applications
is to embed deceptive elements in the application source code 2 The elements listed in bold have been implemented in our CTF challenge
or via a reverse proxy in front of the application [30], [28]. for experimentation (See Section IV).
3Examples Goal
- Honey HTTP GET/POST parameters [30], [28]
- Honey cookies [30]
Data - Honey HTML elements (hidden form fields, commented out URLs / account
Deceptive
credentials) [46], [30], [28] Detection
Elements
- Hyperlinks to track attacker [29]
- Honey disallow entries in /robots.txt [28], [26]
Configuration
- Honey permissions and accounts [37]
Weakness - Honey vulnerability patches [30], [9], [8]
- Web server version trickery [28], [26]
Response - HTTP response status code tampering [28], [26] Confusion
- Upload sinkholing (e.g., 200 response to PUT requests) [46]
Performance - Latency adoption [28], [26]
- Unexpected HTTP method [46]
- Unsupported HTTP Method [46]
Request Exception
- Missing/duplicated request data [46]
- Unexpected type/quantity of characters in the request [46]
Detection points Detection
- Utilization of common passwords (e.g., ”123456”) and usernames
Authentication
(e.g., ”admin”) [46]
Session - Use of another user’s session ID or cookie [46]
- Unexpected/deleted/modified cookie [46]
- Violation of input data integrity [46]
Input/Output
- Violation of black lists (e.g., SQLi or XSS patterns) [46]
- Abnormal output data (length, format, structure) [46]
- Forced browsing attempts for a non-existent / not authorized URL [46]
Access Control
- Direct object access attempts with modified GET/POST parameters [46]
- Deviation from normal GEO location [46]
Behavior analysis User Trend Detection
- Abnormal speed or frequency of use [46]
- High rate of logins/logouts to the application [46]
Authentication
- Multiple failed login attempts [46]
TABLE I. L IST OF RUNTIME APPLICATION DEFENSE TECHNIQUES .
of the application, or via a dedicated micro service in a cloud further generate test data. It would not be suited for deceptive
environment. purposes though, because it would leak sensitive data in the
clone application. In [12], the goal is to understand data
The advantages of redirecting to a clone are multi-fold: distribution by mining rules, then to sanitize sensitive data
it provides a seamless transition between the real application using a constraint solving anonymization method to generate
and the honey-environment, it enables the use of extensive honeydata. The issue with the latter is that it is not known
monitoring tools (which may slow down the application in to be resistant to re-identification and membership inference
normal use), and most importantly, it allows the attacker to attacks, as is the case for differential privacy.
continue in his attack stages, which may reveal any unknown
vulnerabilities and help us learn the ultimate objective of the In this study we do not intend to provide an exhaustive
attack. Moreover, this architecture allows to react to attacks tool with all data generation capabilities, but to provide some
immediately, rather than just logging (as proposed in some guidelines and draw attention to the need for more research in
of the previous work [30], [28]) or blocking the requests. this area. In practice, to produce realistic data, several steps
Note that the framework can also trap pentesters and legitimate are required. For instance:
vulnerability scanners in the application clone. However, the
vulnerabilities they find will still be valid, as the application • Identifying publicly available information contained in
clone is no different than the real application. database tables, such as organization names and ad-
dresses. Such elements can be copied as is to the clone
C. Data layer database.
• Identifying the sensitive attributes, whose values shall
To protect the real application data, we propose to use never appear among the fake data items (e.g., values that
a separate database instance in the application clone, with depend on the user input).
exactly the same schema, but containing synthetic data. Several • Identifying the objects with related and independent
previous works explore how to generate realistic fake data for columns in order to maintain relationships in the gen-
deception or for application testing purposes. Most of the syn- erated data.
thetic data can be automatically created using a deep learning • Recreating all attributes of all tables considered sensitive
generative model with differential privacy, as suggested in [4], in a completely synthetic manner.
and demonstrated in [21]. This approach is well adapted to
produce most of the volume from the transaction data of the Note that for direct identifiers (such as SSNs, passport
real application. In contrast to approaches using generative numbers, license plate numbers, etc.), it is possible to use ex-
models, [33] can populate empty databases by taking user input isting libraries for test data generation. For instance, Faker [22]
or computing the data distribution from existing databases, to provides a variety of pre-built data generation templates,
4enables localizing the data (e.g., selecting specific languages or and device fingerprinting in the authentication process [41],
countries for names and addresses), and it is easily extensible. [16], [5] can be useful, at least to distinguish legitimate users
from attackers and to avoid sending a legitimate user to a
D. Technical Challenges and Research Questions clone. Note that, in any case, the reverse proxy would need
to be well integrated with the authentication procedure of the
Our framework brings several challenges and open up new application, to track the current active and blacklisted sessions,
research areas. and to recognize the authentication failures and logout/login
1) Generating realistic deceptive elements: Deceptive el- events.
ements added to the application should look and feel as part 5) Remediation: If a malicious activity is detected on one
of the application, well integrated in the application context, user’s account, this account is likely to have been compro-
which is not an easy task. Currently, there is no automated mised, and any further connection with these credentials should
way of generating such elements specific to an application. be treated carefully. On the one hand, users should not be
For instance, while [30] automates the embedding of deceptive prevented from accessing the application and the system should
elements via a reverse proxy, authors still needed to go avoid sending a legitimate user to the application clone. On the
through the application to carefully select the names of the other hand, attackers may initiate parallel sessions from several
deceptive elements according to the content. The most relevant browsers or scripts, leading them to being connected to both
study in this context, [49], focuses on automatically creating the application and its clone (serving different data) at the same
honey HTML form fields for web applications. The authors time. One approach could be to immediately lock the victim’s
collect the form field names from Alexa Top 10,000 websites account [47] and to find a way to contact the real user as
and present an algorithm to select the most plausible field quickly as possible for a password change. Once the password
names for a given application. They then make a user study is changed, the old password can be used as a detection point,
where they ask 75 students to look at 50 HTML forms and ensuring all further initiated sessions via this password will be
identify which of those have honey form fields. The results consistently diverted to a clone. This approach also provides a
are significantly close to random selection, which means the remediation for the possible false positives, where a legitimate
participants were not able to identify the honey fields. While user has been redirected to the application clone.
this study provides a good basis, more techniques need to be
developed to automate the generation of different types of web 6) Deployment and scalability: Automated deployment of
honeytokens, which are content-specific, realistic, and blend in a self defense environment for a given web application would
well with the application logic. be the best way to reduce the overhead for application develop-
ers and to increase the usability of this solution. However, the
2) Fake data generation: As mentioned in Section III-C, large variety of Web technologies and frameworks makes this
automating the generation of synthetic data is another research task very difficult. Moreover, on a cloud environment where
challenge. For instance, finding out the data periodicity in the each part of the application is served via a different micro
real application (to send “fresh” data to the clone database), service, spawning clones for all services and for each attack
as well as managing the data volume over time are some of session may be impractical. Relying on a single clone for each
the problems. We also need to have a good estimation of the application, where to send all attackers, may be a potential
longevity of attacks from the same individual or group as solution, at the cost of exposing to all caught attackers the
to present them with consistent data, when they return with real data seen by each of them before detection.
the same leaked credentials. Another challenge is to faithfully
reproduce the unstructured data (including the sensitive parts) Another aspect to consider is the performance overhead
to appear realistic. of the framework. As the application or the reverse proxy
will need to parse and analyze all requests and responses, the
3) Smart data exposure: In their book, Sushil et al. [36] framework will increase the communication latency. Previous
state that the behavior of an intelligently deceptive system work [28] analyzes the performance overhead of the reverse
should be indistinguishable from the normal behavior, even proxy (without any performance optimization) and finds that
if the user has interacted with the system before. While we the effect depends on the type of tampering performed by the
propose to redirect a malicious session to the clone of the proxy, while combining multiple deceptive elements does not
application on the fly, we need to ensure that the attacker’s necessarily increase the overhead additively. In a real world
user experience will not be affected by this diversion and that deployment, performance overhead of the framework should
there won’t be discrepancies in the data visible to the attacker. be well tested not to degrade the user experience. For high
Thus, we need a mechanism to remember which part of the latency operations, it could be possible to delegate them to a
application data was already visible to the attacker before he separate component.
was detected and redirected. This can be implemented with a
monitoring service running on the real system which transfers
a copy of the data that was made visible to the user during IV. P ROTOTYPING AND E XPERIMENT D ESIGN
the current session. Once the session expires, or after a certain
amount of time, the data can be deleted. In this section we explain how we develop a prototype
for the SunDEW framework and use it for our CTF exercise.
4) Keeping the attacker trapped: To maintain the target We started by implementing a small web application with the
application protected, the attacker should be kept trapped in the Spring Boot framework [1], following the best practices for
application clone during the whole attack session, and better, the available security features such as session management,
across multiple attack sessions. While it may not be possible to access control and authentication [2]. Our application mimics a
have a perfect solution, we believe that incorporating browser hospital management software where the patients and doctors
5Proxy
flag.txt (real)
Web Application Database
Web Application
Clone
flag.txt (fake)
Docker network
Fig. 2. Overview of our deception architecture and technical challenges.
can view and modify various data, protected by role based Fig. 3. Screenshot of the SunDEW challenge description.
access control. We then made a small threat modeling exercise
to decide on the deceptive elements and detection points.
they get caught, their flag will worth less points. A screenshot
We have considered possible attacks on reconnaissance (e.g.,
of the challenge description can be found in Figure 3.
directory bruteforcing), privilege escalation, insecure direct
object reference, and weak account passwords. In contrast to Note that, we plant different flags in the real and clone
the previous work [30], [28], we also consider the response applications. Once a participant triggers a deception/detection
actions in case a deception or detection element is tampered element, his session will be redirected to the clone and if then
with. Table II lists all the elements, how they are monitored he exploits the vulnerability, he will access the flag in the clone
and the application’s reaction upon a malicious action. application (i.e., the fake flag), which worths only half of the
challenge points (100 points instead of 200). This provides the
We implemented these elements partially in the application,
incentive to care about the defense mechanism employed.
and partially via a reverse proxy written in Node.js3 . The
proxy uses several packages that allows to manipulate the To avoid the challenges related to the smart data exposure,
HTTP messages, such as cookie-parser4 and body-parser5 . we develop the CTF challenge using a simplified deception
Monitoring of the elements and the redirection procedure architecture: We use a single database instance for both the real
is also handled by the proxy. Moreover, the proxy keeps a and clone applications. This makes sure that the participants
database of session cookies together with the login-logout will not see any discrepancies in the data, when their session is
events for each user, besides the triggered deceptive elements redirected to the application clone. The challenge architecture
and the sessions that must be redirected to the clone. All of can be found in Figure 2. Moreover, to be able to monitor the
the components (the reverse proxy, applications, database) are participants individually and to avoid the issues related to using
run in separate Docker containers in a Docker network, with a single database for both applications, we create a separate
a single interface for external communications. docker network instance for each player. Finally, for analysis,
we collect httpry6 logs from the applications and the proxy,
In the next step, for the sake of the CTF challenge, we for each user.
added an XXE (XML eXternal Entity [50]) vulnerability to the
application, which will be triggered when a profile picture is Evaluation strategy. Ideally, the best way to evaluate par-
uploaded with a specific payload. In a nutshell, the application ticipants’ reaction to deception would be to make a controlled
uses a third party JAVA library that converts an uploaded experiment and inform only half of the participants about
SVG file (which is represented as XML) into a PNG file. deception. However, we avoided this for several reasons. First,
However the parsing routine of the library is flawed, which it would be unfair for the informed group as the challenge
makes it possible to read arbitrary files on the server via an difficulty increases. Second, dividing participants would mean
XXE attack [39]. Note that we chose the vulnerability after having less participants in each category, which could affect
deciding on the deception and detection elements. Moreover, the significance of the results. Finally, the CTF continues for
we were careful that the exploitation of the vulnerability does one month and participants have means to communicate about
not require interaction with these elements. Finally, we added challenges. Thus, we instead decided to conduct a survey
a hint for the participants: The /notes/todo URL commented on the participants who are able to solve the challenge. In
out in HTML source points to a todo file, which mentions a addition, we compare the detection rates with another, similar
hint about the implementation of profile picture upload. This web challenge on the CTF platform to see if participants
URL is not a deceptive element. behaved differently when they are informed about deception.
Finally, in the challenge description we give participants a Post-challenge survey. We designed this survey to analyze
valid username/password combination. The scenario is that the participants’ experience with the challenge, how they perceive
attacker obtained valid credentials from a phishing attack and deception technology, and how they change their attack behav-
can reuse them to access the application like a legitimate user. ior. The survey is presented as another challenge on the CTF
We then warn the participants that the application is protected platform, and it is worth 50 points. However, this challenge
by deception technology and runtime detection points, and if is only available to the participants who were able to get one
of the flags (real or fake) in the SunDEW challenge. As the
3 https://www.npmjs.com/package/http-proxy
SunDEW challenge is part of a large CTF competition that
4 https://www.npmjs.com/package/cookie-parser
5 https://www.npmjs.com/package/body-parser 6 https://github.com/jbittel/httpry
6Deception/Detection Element Monitored Against Reaction/Response Detection rate
Honey “Username” cookie Tampering Reset to original value 1%
Honey “Role” cookie Tampering Reset to original value 4%
Honey hidden POST parameter Tampering No effect on the response (not vulnerable) 10%
GET parameter of /view patient/id IDOR attempts HTTP 403 Unauthorized 50%
Password blacklist on authentication Blacklist of weak passwords HTTP 302 Authentication failed 8%
URL blacklist for GET requests Blacklist from dirbuster HTTP 404 Not Found 14%
SQLi blacklist for all input fields Blacklist from sqlmap No effect on the response (not vulnerable) 6%
TABLE II. L IST OF THE DECEPTION & DETECTION ELEMENTS USED IN THE CTF EXPERIMENT, AND THE INDIVIDUAL DETECTION RATES .
continues for one month and open to all employees globally, We then ask a single-answer question about how much
we had to make sure that the participants who did not work on time participants spent to research about deception technology
the challenge will not be answering the survey. Moreover, this before starting to solve the challenge. Figure 4 shows the
allows for a more refined analysis: The participants should results: only 25% of the participants researched about it for
have spent enough time and efforts on the challenge, to be more than 15 minutes, while 28% did not do any prior
able to capture the flag. In addition, they are likely to be investigation.
more experienced in information security, which allows us
to evaluate our framework against stronger attackers. The
questionnaire includes 17 questions, including single-answer,
40%
Ratio of participants
open-ended and multiple-answer ones.
30%
V. R ESULTS
20%
A. Overview
The CTF competition continued for 4 weeks in October,
10%
2019. It included 50 challenges in various categories (e.g., 0%
web, binary analysis, forensics, cryptography). More than 400 None 0-15 min 5-30 min 0-60 min More
participants was able to solve at least 1 challenge. 1 3
In total, 98 participants attempted to solve our SunDEW
Fig. 4. How much time participants spent to research about the deception
challenge. 51% of them have triggered at least one deception technology before starting the challenge.
or detection element. Table II presents, for each element, the
ratio of users who has triggered this element at least once.
2) Participants experience with the challenge: In an open-
Note that the “id” GET parameter alone was able to trick 50%
ended question, we ask participants to report any anomalous
of participants to tamper with it. 18% of the participants have
behavior they experienced during the challenge. Except few
triggered more than one element.
platform related issues, they did not report any anomalous
Overall, 28 participants were able to exploit the vulner- behavior in the application. This shows that the redirection
ability. 19 (68%) of them triggered a deceptive or detection mechanism worked well in tricking the participants. When
element at least once, while 9 (32%) did not trigger any of the we ask participants whether they think they interacted with
traps and accessed the real flag. These 28 participants were a honeypot server (instead of the real application server) at
able to answer the survey later on. Thanks to the survey, we some point in the challenge, 89% of participants answered
understand that the 9 participants who accessed the real flag “No”, while in reality 68% did interact with a honeypot.
have focused on the picture upload feature straightaway, by
following the hints that we provided in the challenge: The 3) Participants’ perception of the deception technology:
/notes/todo URL, and SVG listed as a supported file type (see To evaluate how the participants perceive the deception tech-
Section IV). nology, we first ask an open-ended question about whether
knowing about deception and runtime defense had any impact
In the next section, we will analyze the survey results to on their attack strategy. 57% of participants answered yes and
see how participants perceived deception. 43% answered no. Table III summarizes the additional expla-
nations the participants report on this open-ended question.
B. Survey results We can see that the participants whose strategy were affected
by deception take different precautions depending on how they
1) Participants’ profile: We start the survey with a few interpret the technology: Some of them avoid scanning the web
questions to learn about participants’ profile and experience. server, while some avoid tampering with cookies or trying out
Most of the participants have developer or engineer roles in XSS attacks.
their daily job, except two MSc students and a pentester.
Participants rate their information security experience as 3.7±1 We then ask a multiple-choice and multiple-answer ques-
on a scale from 1 to 5. Moreover, they rate their knowledge on tion, where we list some of the possible strategies to avoid
deception technology before solving the challenge as 2.3±1. detection and ask the participants whether they adopted any
Overall, the participants seem to be quite experienced in infor- of those behavior. Table IV lists all the answers and their
mation security field, and already familiar with the deception popularity. Overall, 75% of participants reported to avoid brute
technology. forcing. Other popular answers was to avoid automation tools
7Yes, deception had an impact on my strategy (57%) No, deception did not have any impact (43%)
– I was very careful / cautious,
- I avoid to use brute force attack.
– I did not search about deception.
- especially I didnt try tampering with the cookies .
- I investigated everything client side and interacted normally
– My idea was to first solve the challenge without taking
in the beginning.
the honeypot into account.
- I tried not to access .git and stuff, but finally still used
dirbuster as I wasnt successful otherwise after some hours.
– I was fairly certain I will have another option to solve the
– At the beginning, I tried to be quiet, without scanning the webserver
challenge once again. (But in real life I would have been
and focused purely on the svg upload. But after a while, none of my
very scared not to be detected if I attacked the application
payload worked out, so I started with the scanning, which might be
in a way that could identify me.)
loud on server side.
– I avoided automated attacks/scanning (like port scan).
– I did not find any honeypot so I am no affected.
– I tried not to access things that I was sure wasn’t authorized, like
an ID that didn’t appear. Also, avoided XSS in the text fields.
– TBH, I only read up a little and was not sure about the
– I was focusing only on the target file, not other files in the system.
technique.
– I used the URL of a colleague to try riskier stuff
– It scared me.
TABLE III. A NSWERS TO THE OPEN - ENDED QUESTION : “D ID KNOWING ABOUT DECEPTION AND RASP HAVE ANY IMPACT ON YOUR ATTACK
STRATEGY ? P LEASE EXPLAIN ?”
and scripted attacks, as well as to find the vulnerability with Finally, we observe that only a small number of participants
the least amount of interaction. Indeed, when we search for have changed their browser user-agent and session cookies.
the user-agent strings for known attack tools (e.g., Nikto, Dir- This means that browser fingerprinting can be a good way
Buster, sqlmap, Postman) or scripting languages (e.g., python- to track the attacker across different sessions.
requests, go-http, curl) in HTTP logs, we only found 13% of
survey participants to use such tools (This ratio is 15% among Later, we ask another multiple-choice, multiple-answer
the whole population of 98 participants). Thus, we observe that question to understand why the participants did not try avoid
deception technology is likely to push the attackers towards detection. Note that, we again allow all participants to answer
manual work (rather than using automation tools) and to this question, considering they may agree with some of the
be more careful in their interactions with the application. options even if they initially answered “Yes” for the strategy
Moreover, participants seem to perceive deception technology change. 43% of the participants reported they “did not know
similar to the signature based attack detection methods. On the what to do to avoid detection”, while 28% reported they
other hand, strategies that avoid the actual deception/detection “thought it was not possible to avoid detection”. Combining
points that we monitored (e.g., hidden HTML elements, forced these answers, overall 60% of participants had trouble to
browsing, GET parameters) were less popular. identify a strategy against deception. Moreover 28% stated
they “did not understand what is deception technology”, while
While in the previous open-ended question 43% of partic- only 7% stated they “did not care about earning less points
ipants reported that knowing about deception did not have an from the challenge, if they are caught”.
effect on their attack strategy, in this multiple-answer question,
two thirds of those participants have selected at least one It is interesting to note that, even though the participants
strategy they used to avoid detection. In fact, overall, the reported to be already familiar with the deception technology
behavior of 85% of survey participants were affected by and they have spent time to research about it prior to the
the notion of deception. An interesting comment was the challenge, most of them still could not determine how to
following: circumvent it. This can become an important advantage on
the defense side, as the defense strategy becomes opaque and
Although I wanted to ignore the deception, I would ambiguous to the attacker.
say knowing about it still determined my attack
path. I started to read all received files carefully (i.e. 4) Participants’ perception of deceptive elements : In the
html for every page the normal user can use), and next part of the survey, we focus on how the participants
refrained mostly from wildly changing parameters. I perceive and interact with the deceptive elements. For each
also started by simulating a real doctor to see how element, Table V summarizes the ratio of participants who
the application is supposed to behave and to see the considered it deceptive (observed from the survey), and who
normal flow of the application. have interacted (e.g., modified) with this element (observed
from the HTTP logs).
However we also observe that, even if the participants take
some precautions initially, they are likely to fall back to The first thing we notice is that the participants interact
regular attack strategies if they cannot find an attack less with the elements that they find more suspicious. While
vector. In particular, one participant reports that he “gave up most participants thought that the cookies were deceptive,
on most of these” precautions, and two other participant states they are more likely to tamper with the Role cookie, as its
that (Table III) after not being successful for a while, they misconfiguration might lead to a privilege escalation attack.
started using scanning tools. On the other hand, GET and POST parameters created less
8Strategy Ratio of participants that agree
I avoided brute-forcing the application. 75%
I tried to find the vulnerability with the least amount of interaction with the application. 60%
I did not try to login as admin/admin nor tried similar default passwords. 60%
I avoided using known automation tools (like sqlmap, dirbuster). 60%
I avoided launching scripted attacks. 53%
I searched online about deception technology to learn what kind of detection methods are used. 50%
I avoided fuzzing. 43%
I refrained from trying SQL injection. 39%
I avoided forced browsing. 32%
I avoided modifying hidden POST parameters. 28%
I avoided modifying GET parameters such as the patient ID in the URL. 25%
I used automated tools but modified them. 10%
I changed the browser user agent frequently to avoid detection. 7%
I changed the session cookie frequently to avoid detection. 3%
TABLE IV. A NSWERS TO THE MULTIPLE CHOICE QUESTION : “W HICH OF THE FOLLOWING STRATEGIES ( IF ANY ) YOU ADOPTED TO AVOID THE
DETECTION METHODS THAT WE EMPLOYED (RASP AND DECEPTION TECHNOLOGY )?”
Considered deceptive Interacted with 5) Robustness of the redirection mechanism: In our proof-
(survey) (HTTP logs)
of-concept implementation, we redirect the attackers to the
Username cookie 53% 3%
clone application by blacklisting their session cookie, once
Role cookie 61% 14%
Hidden POST parameter 28% 21%
they trigger a deception/detection element. Our proxy tracks
GET parameter id 7% 61% the subsequent changes to the session cookie (e.g., due to
login/logout events) and keeps the attacker trapped in the clone
TABLE V. A NSWER TO THE QUESTION : “W HICH OF THE FOLLOWING
APPLICATION ELEMENTS YOU CONSIDERED TO BE DECEPTIVE ?”” VS . THE
application seamlessly. However, if the attacker modifies or
RATIO OF PARTICIPANTS WHO INTERACTED WITH THE ELEMENT DURING deletes the session cookie, he will be able to escape the clone
CTF. application.
As we mentioned in Section III-D4, one possible way to
make the redirection mechanism more robust would be to use
suspicion among the participants. We then ask an open- browser fingerprinting. However this is not a perfect solution:
ended question about the reasons why these elements were Indeed, in the survey, one participant reported to connect from
considered deceptive. 21% of participants state that the cookies a different browser and in incognito mode to verify his flag
were overwritten each time, and/or the changes to the hidden before submitting.
POST parameter had no impact. Thus, these participants have
identified the deceptive elements only after interacting with To learn more about participants’ perception of deception,
them. While this is a good property for deceptive elements we ask two Yes/No questions about whether they think the
according to the previous work [30], we find that it may not use of a VPN and the modification of the browser user-agent
be enough for preserving the deception, as it may tip off the would help them mitigate detection or would make them easier
attacker about being detected. Thus, we believe that design- to get caught. Respectively, 75% and 64% of participants think
ing realistic responses is as important as designing the that these actions would make them more suspicious. Thus,
deceptive elements. Moreover, our results show that, adding being informed about deception can make the attacker less
deceptive elements that “do not interfere with the normal likely to deviate from normal usage, which could make
behavior of application” [30] may not be useful anymore when fingerprinting more effective.
the attacker is aware of deception. Instead, deceptive elements Overall, we believe that more research is needed to track
should be designed to intertwine with the application logic attackers across different attack sessions, by incorporating
and functionality to be resistant to attackers’ deception fingerprinting mechanisms or other means.
awareness. The fact that the GET and POST parameters were
found less suspicious than the cookies supports this hypothesis.
C. Effect of deception awareness in comparison to another
On the other hand, if such simple-looking elements (e.g. challenge
Role cookie) were due to bad implementation practices and
In the last part, we compare the detection rates of our
were actually vulnerable, deception awareness could deter
CTF challenge (Challenge #1) with another web challenge that
attackers from tampering with them. Moreover, naive deceptive
has an SSRF (Server Side Request Forgery [45]) vulnerability
elements might obscure the more advanced ones by exploiting
(Challenge #2). As opposed to Challenge #1, Challenge #2
the attackers’ expectations and cognitive biases [62]. Thus,
is not protected by the SunDEW environment, and there is
deploying simple deceptive elements combined with more
no deception related information mentioned in the challenge
sophisticated ones can be a good defense strategy.
description. However, we still added an additional, honey
Furthermore, 28% of the participants just stated that the cookie to Challenge #2, and collected the httpry logs to see
selected elements were looking “too suspicious” or “it is if any of the URL/Password/SQLi blacklists were violated.
the feeling” they had, without giving specific reasons. 14% Thus, in this section we only compare the detection rates of
stated that manipulating these elements would be a “too easy” the common deceptive elements that were applicable to both
solution for this challenge. of the challenges.
9Challenge #1 Challenge #2 more deceptive elements that are better integrated with the
(deception informed) (no deception)
application.
URL blacklist 13.1% 25.0%
Password blacklist 7.8% 10.5% As the deception technology becomes more popular, attack-
SQL blacklist 6.5% 0% ers may assume its existence by default, or may know about
Cookie tampering 3.9% 5.3% it. We find that, being informed about deception is likely to
Cumulative 18.4% 36.8% decrease the effectiveness of deceptive elements (at least the
TABLE VI. C OMPARISON OF DECEPTION EFFECTIVENESS WHEN THE naive ones); however, it still adds a deterrent factor and pushes
PARTICIPANTS ARE INFORMED ABOUT IT OR NOT. the attackers away from their regular attack path.
VI. C ONCLUSIONS
In total, 76 CTF participants attempted to solve both of In this paper we propose a self-defense mechanism for
these challenges, with 3̃0% of success rate (23 and 24 flaggers, web applications, that relies on using deceptive techniques on
respectively). Thus, we can say that the difficulty levels of several layers. We aim to detect an attacker via application
both challenges were similar. Table VI summarizes the ratio layer deceptive elements, redirect him to an application clone
of participants who triggered each deception/detection element, seamlessly, and serve him fake application data while we
and the cumulative results. We find that the effectiveness of monitor his actions. We develop a prototype of this framework
deception is lower when the participants are informed about and experiment with it during a Capture-The-Flag exercise.
it (18%) in comparison to not being aware of it (37%). We Our results show how the attackers perceive deception, how
also apply a two proportion z-test to see if this difference is they would try to mitigate it, and how existing deceptive
statistically significant. For the significance level of 0.05, p- elements can be improved. Although implementing such a
value of the test is 0.0088, which means the detection ability complete deception framework in real world would bring many
of deceptive elements significantly differ when the participants challenges (that we also discuss in the paper), we believe that
are aware of the use of deception. deception has the potential to become an effective defense
layer even if it is not perfectly executed. In the future work,
Note that this result contradicts the previous work on data we aim to address the open challenges we list, evaluate the
layer deception: In their study, Shabtai et al. [52] finds that performance overhead of our framework, and conduct more
“the knowledge about the existence of honeytokens did not experiments in a real-world deployment.
have a significant influence on the percentage of illegal actions
performed using honeytokens”. However, in this study, use of ACKNOWLEDGMENTS
a honeytoken brings an immediate benefit to the participants
(increasing profit) while in our study the participants may not We thank Elton Mathias, Julian Schoemaker, and the rest of
gain immediate benefit (e.g., launching a certain attack may the SAP Security Education team for providing the support to
or may not help with reaching the flag). deploy our CTF challenge on their platform. We also thank the
CTF participants for enabling this research, and the anonymous
reviewers for their valuable feedback.
D. Discussion
R EFERENCES
Our experiment is conducted as a CTF exercise, and with
[1] “Spring Boot,” https://spring.io/projects/spring-boot, 2019.
a web application that is quite small-scale, far from how a
real world hospital management application would look like. [2] “Spring Security Architecture ,” https://spring.io/guides/topicals/spring-
security-architecture, 2019.
This means the participants know that there must be a vulner-
[3] Acalvio, “Shadowplex autonomous deception,”
ability and they receive hints about where it could be located, https://www.acalvio.com/why-acalvio/, 2019.
compared to a real attack where the attacker does not know [4] E. Al-Shaer, J. Wei, K. W. Hamlen, and C. Wang, “Using deep learning
whether there is a vulnerability that is exploitable. Moreover, to generate relational honeydata,” in Autonomous Cyber Deception.
the participants are only information security enthusiasts, not Springer, 2019, pp. 3–19.
real attackers. Thus, the 51% detection rate we reported in [5] F. Alaca and P. C. van Oorschot, “Device fingerprinting for augmenting
this study may not be a good indication of the real-world web authentication: Classification and analysis of methods,” in Proceed-
effectiveness of deception. However, the CTF setup is one of ings of the 32Nd Annual Conference on Computer Security Applications,
ser. ACSAC ’16. New York, NY, USA: ACM, 2016, pp. 289–301.
the best available methods to evaluate deception [31] and the
[6] M. Almeshekah and E. Spafford, Cyber Security Deception, 07 2016,
several observations we make helps to improve the quality and pp. 25–52.
robustness of the existing deceptive techniques. [7] K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos,
and A. D. Keromytis, “Detecting targeted attacks using shadow hon-
We find that, adding and removing the deceptive elements eypots,” in Proceedings of the 14th Conference on USENIX Security
only at the proxy level (like proposed in [30], [28]) may not Symposium - Volume 14, ser. SSYM’05. Berkeley, CA, USA: USENIX
be adequate in the long term. For more realistic and robust Association, 2005, pp. 9–9.
deception, it is also necessary to develop reasonable response [8] Andrew Useckas, “Why security teams need to virtual patch,”
actions, and mimic functionality for the deceptive elements (for https://blog.threatxlabs.com/why-security-teams-need-to-virtual-patch/,
example, by adding a broken admin panel to the user interface 2019.
when a honey role cookie is set to “admin”). In fact, combining [9] F. Araujo, K. W. Hamlen, S. Biedermann, and S. Katzenbeisser, “From
patches to honey-patches: Lightweight attacker misdirection, deception,
naive elements with more sophisticated ones can be the best and disinformation,” in Proceedings of the 2014 ACM SIGSAC Confer-
approach to increase the ambiguity of the defense mechanism. ence on Computer and Communications Security, ser. CCS’14. New
More experiments are needed on a larger application with York, USA: ACM, 2014, pp. 942–953.
10You can also read
